CFPB’s Mass Data Collection Threatens Consumers’ Financial Safety
December 16, 2015
The Consumer Financial Protection Bureau (CFPB) has undertaken a dozen large-scale data collection efforts, gathering highly sensitive information on millions of American consumers even as the Bureau’s director has acknowledged that data held by the CFPB is “not 100 percent secure.”
The Financial Services Oversight and Investigations Subcommittee held a hearing today to examine the CFPB’s data collection and the dangers it poses to consumer privacy and financial safety.
“Not a day goes by that Americans are not made aware of yet another breach of sensitive information. Whether it’s the public or private sector, vast collections of personal consumer data are a prime target for cyberattacks. Aside from the fact that the CFPB does not need to be collecting this vast amount of information to carry out its regulatory mission, it’s troubling that it has not taken more appropriate steps to secure this data. In fact, before this Committee just last year, CFPB Director Cordray said that he could not rule out the potential for a data breach at the Bureau,” said Subcommittee Chairman Sean Duffy (R-WI).
“We don’t know – and the American people don’t know – how much personally identifiable information the CFPB retains, how that data is protected and what the Bureau plans to do with all that data,” Chairman Duffy added.
A report from the Government Accountability Office (GAO) noted “serious concerns about the privacy and security of the consumers whose data are being collected by the CFPB.”
- The CFPB is collecting more information than is necessary to execute its regulatory mission. The CFPB has already collected information on 87 percent of the credit card market—and in the past has stated that it is seeking to enlarge this number to 95 percent of all credit card accounts—but it only needs to sample approximately one percent of the market to achieve its stated goals. As of September 2014, just one of the CFPB’s 12 mass data collections had already collected information on 173 million loans.
- The CFPB is alarmingly non-transparent about its mass data-collection program—the agency does not reveal to the public specifically what data it collects, nor does it notify specific consumers about what information it has gathered about them or how it will be using it. The CFPB collects account-level and sometimes even transaction-level data that captures multiple aspects of consumers’ financial lives, such as information about credit cards and checking accounts.
- The CFPB’s data security program has multiple troubling weaknesses. The Bureau’s Information Security Continuous Monitoring program is rated at Level 1 out of 5—defined as “ad hoc,” and the data security protecting the Bureau’s consumer complaint database was found by the Inspector General to be deficient in multiple areas. The CFPB lacks even internal written procedures for “anonymizing” the data it uses.
Topline Witness Quotes:
“The CFPB is prohibited in Section 1022 of Dodd-Frank from collecting personally identifiable information on Americans, but the Bureau is doing so anyway. And it is doing so at a massive scale that rivals the NSA’s most controversial collection programs, but for much less compelling reasons.” – Former House Speaker Newt Gingrich
“The Consumer Financial Protection Bureau’s data collection activities run afoul of our Fourth Amendment protections. These extensive data collections are in no way necessary for the CFPB to achieve its statutory mission. Such could be accomplished in a manner that does not offend the Fourth Amendment, while also allowing the CFPB to fulfill its consumer protection responsibilities. I would also remind the Subcommittee that the risks deriving from the CFPB’s data collection efforts are also present at other financial regulators as well.” – Dr. Mark Calabria, Director of Financial Regulation Studies, Cato Institute
“With a commission structure, composed of a bipartisan council of policymakers, there is less room for abusing data, and less opportunity to do so as well. Under the light of the variety of viewpoints that comes with a council or a commission, you have different people posing different questions from differing backgrounds and insights, all more likely to poke and prod the data, and all of them likely to be intolerant of information legerdemain.” – Wayne Abernathy, Executive Vice President for Financial Institutions Policy and Regulatory Affairs, American Bankers Association